AU8349598A - Monitoring a communication network - Google Patents

Info

Publication number: AU8349598A
Authority: AU (Australia)
Prior art keywords: communication, entities, entity, marked, mark
Legal status: Abandoned (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: AU83495/98A
Inventor: Alexander Fraser Miles Edwards
Current Assignee: British Telecommunications PLC (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: British Telecommunications PLC
Application filed by: British Telecommunications PLC
Priority to: AU2003204506A (AU2003204506B2)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04M TELEPHONIC COMMUNICATION
    • H04M3/00 Automatic or semi-automatic exchanges
    • H04M3/22 Arrangements for supervision, monitoring or testing
    • H04M3/36 Statistical metering, e.g. recording occasions when traffic exceeds capacity of trunks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04M TELEPHONIC COMMUNICATION
    • H04M15/00 Arrangements for metering, time-control or time indication; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04Q SELECTING
    • H04Q3/00 Selecting arrangements
    • H04Q3/0016 Arrangements providing connection between exchanges
    • H04Q3/0062 Provisions for network management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Meter Arrangements (AREA)
  • Monitoring And Testing Of Exchanges (AREA)

Description

WO 99/U05847 PCT/GB98/02077

MONITORING A COMMUNICATION NETWORK

The present invention relates to a communication network such as a telecommunications network and more particularly to the method of and apparatus for monitoring communications and communication patterns, for example, to detect fraudulent use of a telecommunications network.

There are many applications where it would be useful to be able to monitor communication patterns in a network. One such application is for detecting fraud in a telecommunications network. When fraud is perpetrated in a telecommunications network, it is often as a result of an organised ring of activity. However, the ringleader is rarely caught quickly since he will not directly make any fraudulent calls but will use accomplices to do this for him.

Currently the detection of ringleaders of such fraud groups requires a significant amount of analysis which is performed off line using large amounts of gathered data. Since this process is far from real time, the fraud ring exists for longer than is perhaps necessary.

It is an object of the present invention to provide a method of and an apparatus for monitoring communication patterns over a network and for monitoring communications over a network which can be used to detect fraudulent activity within, for example, a telecommunications network.

In accordance with a first aspect the present invention provides a method of monitoring communication patterns over a network, the method comprising:
    an initial step of associating a mark with one or more entities in the communication network;
    a detecting step of detecting communications between the or each marked entity and at least one further entity; and
    a marking step of associating a mark with each further entity that communicates with the or each marked entity.

This aspect of the present invention also provides apparatus for monitoring communication patterns over a network, the apparatus comprising:
    initial marking means for associating a mark with one or more entities of the communication network;
    detection means for detecting communications between the or each marked entity and at least one further entity; and
    marking means for associating a mark with each further entity that communicates with the or each marked entity.

This aspect of the present invention allows for the monitoring of communication patterns by detecting communications between origination and destinations e.g. communication addresses or users. This process acts as a possible fraud marking system to mark each address, node or user in the network to indicate a spread of communications. In a fraud detection system this can be used to indicate a possible site of fraudulent activity.

In one embodiment the mark associated with each marked entity has a value and marking is carried out by associating a mark value with each entity that communicates with an entity previously marked, where the mark value is calculated as a function of the mark value of the previously marked entity. In this way, the 'diffusion' of communications throughout the network from an origination point or entity can be monitored by looking at the values for each entity. Those entities which communicate with marked entities more frequently will accrue a higher value and thus the spread of communications can be monitored with a higher degree of accuracy.

One method of calculating the mark value comprises passing a fraction of the mark value of the previously marked entity to each entity that communicates with the previously marked entity.

In order to generate an average picture of communication activities between marked points in the communication network, the mark values can be made to fade with time.
In a fraud detection system this enables the removal of suspicion from legitimate users who may have happened to have made a single call or infrequent calls to a suspicious user.

The mark values used can be calculated in many different ways. If a communication is detected between marked entities, the mark values associated with each of the entities can be changed as a function of the current mark values of the entities.

Points of high network activity e.g. fraudulent activity can be detected by comparing the mark values associated with the entities with a predetermined range, and identifying the or each entity having a mark value associated therewith which is outside the predetermined range. In this way, in a fraud detection system when the fraudulent activity reaches a certain level i.e. the mark values or suspicion values associated with points of the network reach a threshold, then these can be highlighted to allow intervention by operators of a fraud management system.

In a network more than one entity may be initially marked. In order to enable the communication patterns originating from each of the marked entities to be distinguished, the respective marked entities can be initially marked with respective unique marks and each entity that communicates with the or each marked entity is marked with a respective unique mark. In this way the 'diffusion' of communications throughout the network which originate from different points in the network can be distinguished.

In accordance with a second aspect of the present invention there is provided a method of monitoring communications over a network, the method comprising:
    a marking step of associating marks with entities in the communication network;
    a detecting step of detecting communications between the marked entities; and
    a generating step of generating a signal indicative of the detected communications between the marked entities.

This aspect of the present invention also provides apparatus for monitoring communications over a network, the apparatus comprising:
    marking means for associating marks with entities in the communication network;
    detection means for detecting communications between the marked entities; and
    generating means for generating a signal indicative of the detected communications between the marked entities.

In accordance with this aspect communications between marked entities are detected and in a fraud management system communications between marked entities could be indicative of fraudulent activity.

In one embodiment mark values are associated with the entities and the mark values of the entities which are in communication are detected. A value for the communication is generated based on a function of the detected mark values for the communication. The value for the communication can then be compared with a predetermined range and it can be identified whether the value for the communication is outside the predetermined range. In this way, in a fraud detection system, communications between suspicious points in the network can be monitored and if the points in the network are highly suspicious, the communication will also be marked as being highly suspicious and can be brought to the attention of an operator of a fraud management system.

In the communication network in accordance with the present invention entities can include communication nodes as communication originations and/or destinations, e.g. in a telecommunication network the communication nodes comprise telephone numbers. Also, the entities can include purported users who are identified by user related code as communication origination, e.g. in a telecommunications network an entity can comprise a charge card number or a personal number.
The user related code may be used at any communication node and since charge cards and personal numbers are particularly prone to fraud, the ability to associate suspicion with such a user related code is important. It is not sufficient to merely associate suspicion with communication nodes since charge cards and personal codes may be used on any communication node for making a fraudulent communication.

Embodiments of the present invention will now be described with reference to the accompanying drawings, in which:
    Figure 1 is a schematic drawing of a telecommunications network employing a suspicion system in accordance with an embodiment of the present invention;
    Figure 2 is a schematic diagram of the suspicion system of Figure 1;
    Figure 3 is a schematic drawing illustrating the 'diffusion' of suspicion throughout a network;
    Figures 4a and 4b comprise a flow diagram illustrating a method of monitoring fraudulent activity in a telecommunication system in accordance with one embodiment of the present invention;
    Figure 5 is a flow diagram illustrating a method of monitoring fraudulent communications in accordance with an embodiment of the present invention; and
    Figure 6 is a flow diagram illustrating the automatic assignment of suspicion to an entity in a communication network.

Referring now to Figure 1, there is illustrated schematically a telecommunications network utilizing the suspicion system in accordance with a known embodiment of the present invention to monitor fraudulent activity.
Telephone handsets 1a, 1b, 1c and 1d make calls which are routed via the Digital Local Exchanges (DLE) 2a and 2b either to other local handsets 1a, 1b, 1c and 1d or to a network of switches 3a, 3b and 3c. A Fraud Management System (FMS) 4 monitors communications over the network of switches 3a, 3b and 3c in order to detect any fraudulent activity. Although in this embodiment the fraud management system monitors fraud at the switches, also or alternatively fraud could be monitored at the digital local exchanges.

The fraud management system 4 can comprise any known fraud management system such as one which incorporates rule based fraud detection. Such types of fraud management systems are well known and are outside the scope of the present invention. The monitoring of the communications by the fraud management system are passed on to a suspicion system 5 which has a suspicion database 6 associated therewith.

Figure 2 illustrates in more detail the suspicion system 5 and database 6 of Figure 1. A call information interface 10 provides the suspicion processor 11 with call information from the network of switches 3a, 3b and 3c. The suspicion processor 11 calculates a suspicion value for each point in the network in accordance with the call information and the calculated suspicion values for the points in the network are stored in the network suspicion database 14. The suspicion processor 11 calculates a suspicion value for calls between suspicious points in the network and if a call has a suspicion value higher than a threshold, the suspicion processor 11 can cause the alarm unit 12 to warn an operator that a suspicious call is being made. A timer 13 is provided for decaying or fading the suspicion values for the points in the network in order to remove suspicion from the legitimate customers over a predetermined period of time.

Figure 3 illustrates the principles of the passage of suspicion over a network of nodes A to B. Node A is initially marked as suspicious and is assigned a suspicion value of 100%. A call is made to node B which is therefore assigned a suspicion value of 50%. Node B then makes a call to node C and node C is thus assigned a suspicion value of 25%. Subsequently node A makes a call to node C and thus the suspicion value of node C increases to 75%. Node D makes a call to node C and is thus assigned a suspicion value of 37%. Node C then makes a call to node F and node F is assigned a suspicion value of 37%. Node F then makes a call to node G and node G is assigned a suspicion value of 17%. Since node E has had no contact with any of the nodes A-D, F or G, there is no suspicion value assigned to it. It can thus be seen from Figure 3 that a communication pattern of the network is monitored and a pattern of fraudulent activity can be detected.

It should be noted whilst specific values and fractions for the passage of suspicion values are used in order to illustrate the principles with reference to Figure 3, any suitable method can be used to calculate the passage of suspicion values over the network.

In accordance with the principles of Figure 3, initially a fraudster's telephone activity is registered as unusual on a fraud detection system. This may result in a number of alarms being raised, and possibly the user's number being barred from further usage. When the call has been registered as being unusual a suspicion value may be associated with the user in a database which contains lists of suspicious telephone numbers together with their associated suspicion value and the telephone owner. Alternatively, this could be integrated into the normal billing database, although transaction speed would be reduced.
Thus, the system can operate off line although to improve the fraud detection rate it is preferred to operate the system on line.

The suspicion value is likely to be based on the severity of the recorded incident, for example, a call of slightly long duration would have a suspicion which is a lot lower than a call to a known fraudulent location which would in turn have a lower suspicion than a suspicion based on a telephone number which has been barred recently.

Once a suspicion has been recorded for a user, there are a number of opportunities for using this information pro-actively.

If a call is made from a telephone which has a suspicion associated with it, the telephone number that is dialled can also have a suspicion value associated with it. The suspicion value associated with this new number will have a suspicion value which is lower than the telephone making the call. If the dialled number already has a suspicion rating, the new and old ratings will be combined with an appropriate function. Such a function may be to add the two values together to increase the rating for that telephone, take the highest value of the two, or take an average of the two for example. This latter approach is illustrated in Figure 3.

Also, a suspicion rating for the actual call being made can be determined. For example if a call is made from one telephone number to another telephone number and both have suspicion values associated therewith, the telephone calls may be very suspicious for fraud related purposes.

An extension to this idea is that a call made from any number to a number which has a suspicion value will cause the number calling to also be made suspicious i.e. to be assigned a suspicion value (as the node D has acquired a suspicion value for calling the node C in Figure 3). In the arrangement of Figure 3 a single suspicion value is used for both ingoing and outgoing calls.
However, two different values may be used one for outgoing calls and the other for incoming calls.

In addition to maintaining a suspicion value, the number of suspicious calls made in total or the number of outgoing and incoming suspicious calls can be counted.

To provide the most complete information a 'pointer' to the call record which details the call made can be stored for each suspicious call. In this way a trace can be performed of where the fraud chain and gang network exists.

Figures 4a and 4b are a flow diagram illustrating the operation of an embodiment of the present invention in a telecommunications network wherein telephone numbers comprise the origination ID and destination ID and user related code in the form of a charge card number or personal number can be used by a user to make a call from any origination ID. Since charge card numbers and personal numbers are particularly susceptible to fraud in view of their portability within a telecommunications network and the ease with which they can be fraudulently obtained, it is important to be able to assign suspicion values not only to actual physical nodes i.e. numbers within the telecommunication network, but also to user related code such as the charge card number or personal numbers or any other entity which identifies an origination or destination within the network.

In step S1 the fraud management system receives a call attempt. In step S2 it is determined whether there is a charge card number or personal number associated with the call attempt. If there is no number associated with the call in step S3 the origination ID and destination ID are obtained from the call information and in step S4 it is determined whether the origination ID has a suspicion value associated therewith. If the origination ID has a suspicion value associated therewith, in step S5 it is determined whether the destination ID has a suspicion value associated therewith.
If both the origination and destination IDs have a suspicion value associated therewith in step S6 the suspicion values of both the origination and the destination IDs are increased. If only the origination ID has a suspicion value associated therewith, in step S7 a fraction of the origination suspicion value is assigned to be associated with the destination ID. If in step S4 it is determined that the origination ID does not have a suspicion value associated therewith, in step S8 it is determined whether the destination ID has a suspicion value associated therewith and if so in step S9 a fraction of the destination ID suspicion value is assigned to be associated with the origination ID. When the suspicion value associated with the destination ID and/or the origination ID have been changed in steps S6, S7 or S9, in step S10 it is then determined whether the suspicion value for the origination ID or the destination ID is greater than a threshold. If it is greater than the threshold, in step S11 an alarm can be generated in such a manner as to bring to the attention of an operator of a fraud management system the possibility of a high degree of fraudulent activity taking place. If in step S10 the threshold is not exceeded or in step S8 there is no suspicion value associated with the destination or the origination IDs the process terminates in step S12.

If in step S2 it is determined that the call attempt has a charge card number or personal number associated therewith, in step S13 the charge card number or personal number, origination ID and destination ID are read and in step S14 it is determined whether the charge card number or personal number, origination ID, and destination ID each have a suspicion value. If they do, in step S15 the suspicion values of all of these are increased. If not, in step S16 it is determined whether only the origination ID and the destination ID both have a suspicion value.
If they do, in step S17 the suspicion value of the origination ID and the destination ID are increased and a fraction of the combined suspicion of these is assigned to the charge card number or the personal number. If the origination ID and the destination ID do not both have a suspicion value in step S18 it is determined whether the origination ID and the charge card number or personal number only both have a suspicion value. If so in step S19 the suspicion value of the origination ID and the charge card number or personal number are increased and a fraction of the combined suspicion value is assigned to the destination ID. If in step S18 it is determined that the origination ID and the charge card number or personal number do not both have a suspicion value, in step S20 it is determined whether only the destination ID and the charge card number or personal number both have a suspicion value. If so in step S21 the suspicion value on the destination ID and the charge card number or personal number are increased and a fraction of the combined suspicion values is assigned to the origination ID. If in step S20 it is determined that only the destination ID and the charge card number or personal number do not both have a suspicion value, in step S22 it is determined whether only one of the origination ID, the destination ID or the charge card number or personal number have a suspicion value. If they do, in step S23 a fraction of the suspicion value is assigned to the others which do not have a suspicion value. If in step S15, S17, S19, S21 or S23 the suspicion value has changed, in step S24 it is determined whether the suspicion value for the charge card number or personal number, the origination ID or the destination ID is greater than the threshold. If so, in step S25 an alarm is generated. If not in step S26 the process is terminated.
Also, if it is determined in steps S14, S16, S18, S20 and S22 that neither the charge card number or personal number, the origination ID or the destination ID have a suspicion value associated therewith, the process is terminated in step S26.

Thus in this embodiment suspicion values are spread throughout the telecommunications network in accordance with communications made between suspicious points i.e. telephone numbers and/or personal numbers in the network. If a suspicion value for a point in the network moves outside a predetermined range i.e. exceeds a threshold, this can be brought to the attention of an operator of a fraud management system to allow intervention e.g. by preventing further calls to and/or from that point in the network. In this way a call can be barred before the call is completed i.e. as soon as the call attempt is received thus allowing the provision of an automatic fraud prevention system.

Figure 5 is a flow diagram of the operation of a system for detecting fraudulent calls. In step S30 a fraud management system receives a call attempt. In step S31 it is determined whether there is a charge card number or personal number associated with the call attempt. If not in step S32 the origination ID and the destination ID of the call are determined and in step S33 it is determined whether the origination ID or the destination ID have a suspicion value associated therewith. If there is no suspicion value associated with the origination ID or the destination ID the process terminates in step S37. If there is a suspicion value associated with the origination ID or the destination ID in step S34 a suspicion value is assigned to the call based on the suspicion values of the origination ID and/or the destination ID. In step S35 it is then determined whether the suspicion value for the call is above the threshold. If not the process terminates in step S37.
If the suspicion value for the call is above the threshold in step S36 an alarm is generated. This can either allow the operator of a fraud management system to stop the call manually or to look more carefully at the activity, or the call could be automatically prevented.

If in step S31 it is determined that there is a charge card number or personal number associated with the call, in step S39 the charge card number or personal number, origination ID and termination ID are read and in step S40 it is determined whether the charge card number or personal number, origination ID or destination ID have a suspicion value associated therewith. If not the process terminates in step S37. If however they do have a suspicion value, in step S41 a suspicion value is assigned to the call based on the suspicion values of the charge card number or personal number, the origination ID and/or the destination ID. In step S42 it is determined whether the suspicion value for the call is above the threshold. If not the process terminates in step S37. If the suspicion value for the call is above the threshold an alarm is generated in step S36 in a manner as described hereinabove.

This method allows for the manual or automatic control of calls in a telecommunications network. When calls are made between highly suspicious points in the network, the call made will thus acquire a suspicion value which can allow the call to be barred if necessary.

Figure 6 is a flow diagram of a method of initially automatically assigning a suspicion value to a point in the network based on previously determined fraudulent activity. In step S50 the fraud management system raises an alarm for a suspicious call. In step S51 the origination ID and destination ID are sent to the fraud management system supervisor.
In step S52 the supervisor can assign a suspicion value to the call origination, and/or destination and in step S53 the suspicion value is stored in the suspicion database for the call origination and/or destination. The call origination and/or destination i.e. the entity in the communications network can comprise any information identifying a communication location, communication node, or a user e.g. telephone number, personal number or charge card number. Thus when calls are subsequently made from or to the origination ID with the suspicion value, suspicion values will permeate throughout the network in accordance with the calls made between suspicious points as described hereinabove.

Although in the embodiments described hereinabove communications have been described as being directly from an origination to a destination i.e. direct communications between single entities in the telecommunications network, the present invention is also applicable to more complex methods of communications. For example, a call may be diverted. In such an arrangement both of the destination entities i.e. nodes can be marked. Also, for personal numbers where a person has a single telephone number and calls are routed to telephone numbers in dependence upon where the user is, both the personal number and the ultimate destination telephone number can be marked. The present invention is also applicable to identify fraud in a telecommunications network where there are more than two participants e.g. in a three way conversation or when a conference call has been set up.

Although the present invention has been described hereinabove with reference to a telecommunications network, the present invention is applicable to any network to enable the monitoring of communications between marked nodes and to build up a pattern of communications from one or more marked nodes or points in the network. This simple labelling technique can provide useful information for the management or control of any kind of network such as a network of computers. The information can for instance be used to obtain a pattern of network traffic originating from a point in order to design efficient network connections.

Although the present invention has been described hereinabove with reference to specific embodiments, it will be apparent to a skilled person in the art that modifications are possible within the scope of the present invention as defined by the appended claims.
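
The marking scheme of Figures 3 to 5, sketched in Python as an added example (not code from the patent or from any fraud management product). The passing fraction of one half, the additive combination capped at 100, the 7-day half-life, the floor of 1, the threshold of 70 and the mean as the call score are all assumptions chosen for illustration; the description leaves each of these open. The charge card identifier used with it is constructed.

```python
from dataclasses import dataclass, field

FRACTION = 0.5            # assumed share of a mark passed on per call (Figure 3 halves it)
CAP = 100.0               # marks are treated as percentages, as in Figure 3
THRESHOLD = 70.0          # assumed alarm threshold
HALF_LIFE = 7 * 86400.0   # assumed fade rate: a mark halves every 7 days
MIN_MARK = 1.0            # assumed floor below which an entity counts as unmarked


@dataclass
class SuspicionStore:
    marks: dict = field(default_factory=dict)   # entity -> (value, time last updated)
    trace: list = field(default_factory=list)   # call records that touched a marked entity

    def value(self, entity, now):
        """Current mark of an entity after fading; 0.0 if unmarked."""
        if entity not in self.marks:
            return 0.0
        stored, since = self.marks[entity]
        faded = stored * 0.5 ** (max(0.0, now - since) / HALF_LIFE)
        return faded if faded >= MIN_MARK else 0.0

    def seed(self, entity, value, now):
        """Initial marking, e.g. by the FMS supervisor after an alarm (Figure 6)."""
        self.marks[entity] = (min(CAP, value), now)

    def score_call(self, parties, now):
        """Figure 5: a value for the call itself. Assumed function: mean of party marks."""
        return sum(self.value(p, now) for p in parties) / len(parties)

    def observe_call(self, origin, dest, now, card=None):
        """Figures 4a/4b: update marks for one call attempt; return entities to alarm on."""
        parties = [origin, dest] + ([card] if card else [])
        before = {p: self.value(p, now) for p in parties}
        marked_total = sum(before.values())
        if marked_total == 0.0:
            return []                     # nobody involved is marked: nothing changes
        self.trace.append((now, origin, dest, card))   # the 'pointer' to the call record
        for p in parties:
            # A marked party gains a fraction of the other marked parties' values;
            # an unmarked party receives a fraction of the combined marked value.
            gain = FRACTION * (marked_total - before[p])
            if gain > 0.0 or before[p] > 0.0:
                self.marks[p] = (min(CAP, before[p] + gain), now)
        return sorted(p for p in parties if self.value(p, now) > THRESHOLD)


def replay_figure3():
    """Replay the Figure 3 call sequence at a single instant, so nothing fades."""
    store = SuspicionStore()
    store.seed("A", 100.0, now=0.0)
    calls = [("A", "B"), ("B", "C"), ("A", "C"), ("D", "C"), ("C", "F"), ("F", "G")]
    alarms = {call: store.observe_call(*call, now=0.0) for call in calls}
    return store, alarms


if __name__ == "__main__":
    store, alarms = replay_figure3()
    for node in "ABCDEFG":
        print(node, store.value(node, 0.0))
    print("alarms:", alarms)
    print("B one half-life later:", store.value("B", HALF_LIFE))
```

Replaying the Figure 3 calls gives B 50, C 75, and D and F 37.5; G comes out at 18.75 rather than the 17% quoted in the text, whose figures are stated to be illustrative.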

Claims (42)

1. A method of monitoring communication patterns over a network, the method comprising: an initial step of associating a mark with one or more entities in the communication network; a detecting step of detecting communications between the or each marked entity and at least one further entity; and a marking step of associating a mark with each further entity that communicates with the or each marked entity.
2. A method according to claim 1 wherein said detecting step and said marking step are carried out for a plurality of communications.
3. A method according to claim 1 or claim 2 wherein the mark associated with each marked entity has a value and said marking step comprises associating a mark value with each entity that communicates with an entity previously marked, said mark value being calculated as a function of the mark value of the previously marked entity.
4. A method according to claim 3 wherein said marking step comprises passing a fraction of the mark value of the previously marked entity to each entity that communicates with the previously marked entity.
5. A method according to claim 3 or claim 4 including a reduction step of reducing the mark values with time.
6. A method according to any one of claims 3 to 5 wherein if said detecting step detects a communication between marked entities, said marking step includes the step of changing the mark values associated with each of the entities as a function of the mark values associated with the entities.
7. A method according to any preceding claim including the step of identifying communications between marked entities.
8. A method according to any one of claims 3 to 6 including the steps of identifying communications between marked entities, and assigning a value to the communication as a function of the mark values of the marked entities in communication.
9. A method according to claim 8 including the steps of comparing the value of the communication with a predetermined range, and generating a signal if the value is outside the predetermined range.
10. A method according to any one of claims 3 to 6, 8 or 9 including the steps of comparing the mark values associated with the entities with a predetermined range, and identifying the or each entity having a mark value associated therewith which is outside the predetermined range.
11. A method according to any preceding claim wherein the entities of the communication network include communication nodes as communication originations and/or destinations.
12. A method according to claim 11 wherein the entities of the communication network include purported users identified by user related code as communication originations and/or destinations.
13. A method according to any preceding claim wherein in said initial step the one or more entities in the communication network are initially marked with respective unique marks, and in said marking step each entity that communicates with the or each marked entity is marked with the respective unique mark.
14. A method according to any one of claims 1 to 12 including the step of storing the identities of each entity in each detected communication with a marked entity.
15. A method according to any one of claims 1 to 12 including the step of storing information on each detected communication with a marked entity.
16. A method according to any preceding claim including the preliminary step of determining which entity in the communication network is to be marked in said initial step based on previous communications by said entities.
17. A method of monitoring communications over a network, the method comprising: a marking step of associating marks with entities in the communication network; a detecting step of detecting communications between the marked entities; and a generating step of generating a signal indicative of the detected communications between the marked entities.
18. A method according to claim 17 wherein said marking step comprises associating mark values with said entities, said detecting step includes detecting the mark values of the entities in communication, and said generating step comprises generating a value for the communication based on a function of the detected mark values for the communication.
19. A method according to claim 18 including the steps of comparing the value for the communication and a predetermined range, and identifying the or each communication having a value outside said predetermined range.
20. A method according to any one of claims 17 to 19 wherein the entities of the communication network include communication nodes as communication originations and/or destinations.
21. A method according to claim 20 wherein the entities of the communication network include purported users identified by user related code as communication originations and/or destinations.
22. Apparatus for monitoring communication patterns over a network, the apparatus comprising: initial marking means for associating a mark with one or more entities of the communication network; detection means for detecting communications between the or each marked entity and at least one further entity; and marking means for associating a mark with each further entity that communicates with the or each marked entity.
23. Apparatus according to claim 22 wherein said detection means and said marking means are adapted to detect and mark said entities for a plurality of communications.
24. Apparatus according to claim 22 or claim 23 wherein the mark associated with each marked entity has a value, and said marking means is adapted to associate a mark value with each entity that communicates with an entity previously marked, and to calculate the mark value as a function of the mark value of the previously marked entity.
25. Apparatus according to claim 24 wherein said marking means is adapted to pass a fraction of the mark value of the previously marked entity to each entity that communicates with the previously marked entity.
26. Apparatus according to claim 24 or claim 25 including means for reducing the mark values with time.
27. Apparatus according to any one of claims 24 to 26 wherein if said detection means detects a communication between marked entities, said marking means is adapted to change the mark values associated with each of the entities as a function of the mark values associated with the entities.
28. Apparatus according to any one of claims 22 to 27 including means for identifying communications between marked entities.
29. Apparatus according to any one of claims 24 to 27 including means for identifying communications between marked entities, and means for assigning a value to the identified communications as a function of the mark values of the marked entities in communication.
30. Apparatus according to claim 29 including means for comparing the value of the communication with a predetermined range, and means for generating a signal if the value is outside the predetermined range.
31. Apparatus according to any one of claims 24 to 27, 29 or 30 including means for comparing the mark values associated with the entities with a predetermined range, and means for identifying the or each entity having a mark value associated therewith which is outside the predetermined range.
32. Apparatus according to any one of claims 22 to 31 wherein the entities of the communication network include communication nodes and communication originations and/or destinations.
33. Apparatus according to claim 32 wherein the entities of the communication network include purported users identified by user related codes as communication originations and/or destinations.
34. Apparatus according to any one of claims 22 to 33 wherein said initial marking means is adapted to initially mark the one or more entities in the communication network with respective unique marks, and said marking means is adapted to mark each entity that communicates with the or each marked entity with the respective unique mark.
35. Apparatus according to any one of claims 22 to 33 including means for storing the identities of each entity in each detected communication with a marked entity.
36. Apparatus according to any one of claims 22 to 33 including means for storing information on each detected communication with a marked entity.
37. Apparatus according to any one of claims 22 to 36 including means for determining which entity in the communication network is to be marked by said initial marking means based on previous communications by said entities.
38. Apparatus for monitoring communications over a network, the apparatus comprising: marking means for associating marks with entities in the communication network; detection means for detecting communications between the marked entities; and generating means for generating a signal indicative of the detected communications between the marked entities.
39. Apparatus according to claim 38 wherein said marking means is adapted to associate mark values to said entities, said detection means is adapted to detect the mark values of the entities in communication, and said generating means is adapted to generate a value for the communication based on a function of the detected mark values for the communication.
40. Apparatus according to claim 39 including means for comparing the value for the communication and a predetermined range, and means for identifying the or each communication having a value outside said predetermined range.
41. Apparatus according to any one of claims 38 to 40 wherein the entities of the communication network include communication nodes as communication originations and/or destinations.
42. Apparatus according to claim 41 wherein the entities of the communication network include purported users identified by user related code as communication originations and/or destinations.
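The following sketch is an added illustration and is not part of the patent specification: it runs the mark-value scheme of claims 3 to 10 over a small set of constructed call records. The claims leave the functions open, so the fraction, decay factor, range limits, the `min` value function, the capped additive update and all names are assumptions made for this example.

```python
from collections import defaultdict

# All constants and both functions below are assumed choices; the claims only
# say "a fraction", "reducing ... with time" and "a predetermined range".
FRACTION = 0.5    # share of the other party's mark passed on per call (claim 4)
DECAY = 0.9       # multiplier applied per elapsed time unit (claim 5)
CALL_LIMIT = 0.4  # upper end of the range for a communication value (claim 9)
MARK_LIMIT = 0.9  # upper end of the range for an entity's mark value (claim 10)

def monitor(calls, seeds):
    """calls: time-ordered (t, origin, destination); seeds: {entity: mark value}."""
    marks = defaultdict(float, seeds)          # initial marking step
    signals, last_t = [], None
    for t, a, b in calls:
        if last_t is not None and t > last_t:  # reduction step
            factor = DECAY ** (t - last_t)
            for entity in marks:
                marks[entity] *= factor
        last_t = t
        va, vb = marks[a], marks[b]
        if va > 0 and vb > 0:                  # communication between marked entities
            value = min(va, vb)                # assumed value function (claim 8)
            if value > CALL_LIMIT:             # outside the range: generate a signal
                signals.append((t, a, b, round(value, 4)))
        # Marking step: each party gains a fraction of the other's pre-call mark,
        # capped at 1.0 so repeated calls cannot grow a mark without bound.
        marks[a] = min(1.0, va + FRACTION * vb)
        marks[b] = min(1.0, vb + FRACTION * va)
    return dict(marks), signals

def entities_outside_range(marks):
    """Entities whose mark value exceeds the assumed upper limit (claim 10)."""
    return sorted(e for e, v in marks.items() if v > MARK_LIMIT)

# Constructed call records: A is the initially marked entity; D and E never
# communicate with a marked entity and so stay unmarked.
CALLS = [(0, "A", "B"), (0, "A", "C"), (1, "B", "C"), (1, "D", "E"), (2, "B", "A")]

if __name__ == "__main__":
    marks, signals = monitor(CALLS, {"A": 1.0})
    print(signals, entities_outside_range(marks))
```

The call between B and C is signalled even though neither was initially marked, because both inherited a mark from A; the unrelated call between D and E produces nothing.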
AU83495/98A 1997-07-22 1998-07-15 Monitoring a communication network Abandoned AU8349598A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2003204506A AU2003204506B2 (en) 1997-07-22 2003-05-30 Monitoring a communication network

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
GBGB9715498.3A GB9715498D0 (en) 1997-07-22 1997-07-22 Monitoring a communication network
GB9715498 1997-07-22
PCT/GB1998/002077 WO1999005847A1 (en) 1997-07-22 1998-07-15 Monitoring a communication network

Related Child Applications (1)

Application Number Title Priority Date Filing Date
AU2003204506A Division AU2003204506B2 (en) 1997-07-22 2003-05-30 Monitoring a communication network

Publications (1)

Publication Number Publication Date
AU8349598A (en) 1999-02-16

Family

ID=10816305

Family Applications (1)

Application Number Title Priority Date Filing Date
AU83495/98A Abandoned AU8349598A (en) 1997-07-22 1998-07-15 Monitoring a communication network

Country Status (9)

Country Link
EP (1) EP0995302B1 (en)
JP (1) JP2001511626A (en)
AU (1) AU8349598A (en)
CA (1) CA2296328C (en)
DE (1) DE69829289T2 (en)
ES (1) ES2239808T3 (en)
GB (1) GB9715498D0 (en)
HK (1) HK1028311A1 (en)
WO (1) WO1999005847A1 (en)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5357564A (en) * 1992-08-12 1994-10-18 At&T Bell Laboratories Intelligent call screening in a virtual communications network
US5805686A (en) * 1995-12-22 1998-09-08 Mci Corporation Telephone fraud detection system

Also Published As

Publication number Publication date
DE69829289D1 (en) 2005-04-14
ES2239808T3 (en) 2005-10-01
WO1999005847A1 (en) 1999-02-04
CA2296328C (en) 2006-07-11
CA2296328A1 (en) 1999-02-04
EP0995302B1 (en) 2005-03-09
JP2001511626A (en) 2001-08-14
DE69829289T2 (en) 2006-04-13
EP0995302A1 (en) 2000-04-26
GB9715498D0 (en) 1997-10-01
HK1028311A1 (en) 2001-02-09

Similar Documents

Publication Publication Date Title
US6801606B1 (en) Fraud monitoring system
US5504810A (en) Telecommunications fraud detection scheme
EP0618713B1 (en) Real-time fraud monitoring system in a telecommunication network
CA2327338C (en) Automated and selective authentication in transaction-based networks
US7406161B2 (en) System and method for real-time fraud detection within a telecommunication network
US6078647A (en) Method and apparatus for detecting a data service provider in a public switched telephone network
US6556669B2 (en) International origination to domestic termination call blocking
CA2401159A1 (en) Termination number screening
US6466778B1 (en) Monitoring a communication network
CA2296328C (en) Monitoring a communication network
AU2003204506B2 (en) Monitoring a communication network
US20020186825A1 (en) Service management system blocking
US6590967B1 (en) Variable length called number screening
AU2003204508B2 (en) Fraud monitoring system
Field et al. Techniques for telecommunications fraud management
TR201612555A1 (en) A METHOD FOR DETERMINING FRAUD IN INTERNATIONAL TELECOM CALLS BY ANALYSIS OF DOMESTIC SEARCH RECORDS

Legal Events

Date Code Title Description
MK5 Application lapsed section 142(2)(e) - patent request and compl. specification not accepted